OpenSSL contained a software work-around for a bug in SSL handling in Microsoft Internet Explorer version 3.0.2. This work-around is enabled in most servers that use OpenSSL to provide support for SSL and TLS. Yutaka Oiwa discovered that this work-around could allow an attacker, acting as a "man in the middle", to force an SSL connection to use SSL 2.0 rather than a stronger protocol such as SSL 3.0 or TLS 1.0. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2969 to this issue.

A bug was also fixed in the way OpenSSL creates DSA signatures. A cache timing attack was fixed in RHSA-2005-476 which caused OpenSSL to do private key calculations with a fixed time window. The DSA fix for this was not complete and the calculations are not always performed within a fixed-window. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0109 to this issue.

Users are advised to upgrade to these updated packages, which remove the MSIE 3.0.2 work-around and contain patches to correct these issues.

Note: After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
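Once the packages are upgraded, the note above about restarting services can be checked rather than assumed. The following is an added example, not part of the original advisory: a shell function that lists processes still mapping a deleted (pre-update) copy of libssl or libcrypto. The function name and its optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still run the
# old OpenSSL code after the package upgrade and therefore need a restart.
#
# When an upgrade replaces a shared library on disk, processes that loaded
# the old file keep it mapped, and the kernel marks those mappings in
# /proc/<pid>/maps with a trailing "(deleted)".
#
# Usage: stale_openssl_pids            (run as root to see every process)
#        stale_openssl_pids /some/dir  (hypothetical alternate proc root,
#                                       used here only for testing)
stale_openssl_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes that exited meanwhile or that we may not read.
        [ -r "$maps" ] || continue
        # Match libssl/libcrypto with any version suffix, e.g.
        # "/lib/libssl.so.<version> (deleted)".
        if grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' \
                "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            # The process name comes from the "Name:" line of status.
            name=$(sed -n 's/^Name:[[:space:]]*//p' \
                "$proc_root/$pid/status" 2>/dev/null || true)
            [ -n "$name" ] || name='?'
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}
```

An empty result means no readable process still maps the replaced libraries; any PID it prints belongs to a service that has not yet been restarted.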